Microsoft’s security update for February 2026 addresses 59 vulnerabilities, six of which have confirmed active exploitation in the wild. Given the presence of these zero-day vulnerabilities, security teams should approach this month's update as an active defense operation rather than standard maintenance.
Among the six critical findings are three security feature bypass flaws. These vulnerabilities are notable because they allow unauthorized parties to circumvent native protection mechanisms. Additionally, the update resolves two elevation-of-privilege (EoP) issues that could grant administrator access, and one denial-of-service (DoS) vulnerability.
Beyond the actively exploited flaws, Microsoft has flagged five additional CVEs as "more likely" to be targeted. This classification indicates that exploit code could be developed rapidly or that the vulnerabilities affect high-value assets, warranting prioritized remediation.
Security Feature Bypass Vulnerabilities
The February update resolves three bypass flaws: CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514. Because technical details for these issues are publicly available, the risk of broader adoption by threat actors increases.
CVE-2026-21510 (CVSS 8.8) involves a bypass of Windows Shell and Windows SmartScreen. This vulnerability permits the execution of arbitrary code without user consent or warning prompts. Exploitation requires the user to interact with a malicious file.
CVE-2026-21513 (CVSS 8.8) impacts the MSHTML framework. In this scenario, a specially crafted HTML file or shortcut link can deceive the browser and operating system into executing the file as code rather than rendering it as data.
CVE-2026-21514 (CVSS 7.8) affects Microsoft Word and relies on user interaction. If a user opens a modified Word document, the vulnerability allows the bypass of OLE security controls in Microsoft 365 and Microsoft Office, leading to code execution. This follows a related out-of-band patch issued for Office vulnerability CVE-2026-21509 on January 26.
Jack Bicer, director of vulnerability research at Action1, notes that security feature bypasses can increase the efficacy of phishing campaigns. In enterprise environments, these flaws may help unauthorized code execution and system compromise.
Remediation is particularly important given the ubiquity of the affected components. Word and MSHTML are foundational to the Windows ecosystem. Mike Walters, president and co-founder of Action1, emphasizes that vulnerabilities like CVE-2026-21510 are significant because they circumvent SmartScreen and Windows Shell protections. Because Windows Shell is used by nearly all users, the potential attack surface is broad, making patching the most effective restriction method.
Elevation of Privilege and Denial of Service
The remaining zero-day vulnerabilities affect core Windows services:
CVE-2026-21519 (CVSS 6.2) affects Desktop Windows Manager.
CVE-2026-21533 (CVSS 6.2) affects Windows Remote Desktop Services.
Both vulnerabilities allow a threat actor to escalate privileges from a standard user to administrator level.
CVE-2026-21525 (CVSS 6.2) resides in the Windows Remote Access Connection Manager and enables a local denial-of-service condition. Ryan Braunstein, security manager at Automox, explains that a standard user account could execute a script to crash the RAS manager service. While this flaw does not permit data exfiltration or code execution, it presents a risk of operational disruption.
Cloud and Infrastructure Considerations
While the total count of 59 CVEs is lower than the 112 reported in January, the impact remains significant. Tyler Reguly, associate director of security R&D at Fortra, advises teams to look beyond the numbers.
Reguly highlights 10 CVEs affecting Azure. Although three of these—CVE-2026-21532 (CVSS 8.2), CVE-2026-24300 (CVSS 9.8), and CVE-2026-24302 (CVSS 8.6)—are listed as "No Customer Action Required," verifying the security of cloud and cloud-adjacent environments remains a prudent step. For the remaining Azure vulnerabilities, teams should review the necessary updates to ensure comprehensive protection.